CVE-2021-40651
published 2021-09-29


Priority: P3 54 · medium 6.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 18.41% (96.9th percentile)
OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary files from the server's filesystem as long as the application has access to the file.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| os4ed  | opensis |               |          |

Detection & IOCs (extracted from sources)

url: /Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
path: /Modules.php
sigma: regex('root:.*:0:0:', body)
  • Look for path traversal sequences ('%2f..%2f' or '/../') in the 'modname' GET parameter of requests to Modules.php, particularly targeting sensitive files such as /etc/passwd.
  • Exploitation requires prior authentication as the 'Parent' user role. Monitor for login attempts to /index.php followed immediately by traversal requests to /Modules.php.
  • Use Shodan/FOFA queries to identify exposed OpenSIS instances: Shodan 'title:"openSIS"' or FOFA 'title="opensis"', then probe for the LFI pattern in Modules.php.
  • A successful exploitation response will contain a string matching 'root:.*:0:0:' in the HTTP response body, indicating /etc/passwd file disclosure.
  • Exploitation requires an authenticated session as the 'Parent' user role; unauthenticated exploitation is not possible.
  • The LFI is limited to files readable by the web application process; files with restricted OS permissions cannot be disclosed.
  • The vulnerability was tested on both Windows and Linux platforms, so traversal payloads and target file paths may differ per OS.
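
The log-side checks described above, as an added example that is not taken from the page's sources: it flags requests to Modules.php whose decoded modname value contains a '..' path segment and records whether the same client contacted /index.php first. The combined access-log format, the use of POST for the login request, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request fields of a combined-format access log line (the log format is an assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PASSWD_RE = re.compile(r"root:.*:0:0:")  # response-body indicator quoted on the page

def modname_traversal(target):
    """Return the decoded modname value if it has a '..' path segment, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/modules.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("modname", []):
        for _ in range(3):  # parse_qs decoded once; undo nested encoding (%252f)
            value = unquote(value)
        if ".." in re.split(r"[\\/]", value):  # '/' on Linux, '\' on Windows
            return value
    return None

def scan(lines):
    """One finding per traversal request, noting an earlier POST to /index.php (assumed login)."""
    logged_in, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and urlsplit(m["target"]).path.lower().endswith("/index.php"):
            logged_in.add(m["ip"])
        value = modname_traversal(m["target"])
        if value is not None:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "modname": value, "after_login": m["ip"] in logged_in})
    return findings

def body_discloses_passwd(body):
    """True if a captured response body matches the page's /etc/passwd indicator."""
    return PASSWD_RE.search(body) is not None

# Constructed sample lines (documentation IP ranges, shortened traversal), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Oct/2021:10:00:01 +0000] "POST /index.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Oct/2021:10:00:03 +0000] "GET /Modules.php?modname=miscellaneous'
    '%2fPortal.php..%2f..%2f..%2fetc%2fpasswd&failed_login= HTTP/1.1" 200 1843',
    '198.51.100.4 - - [01/Oct/2021:10:01:00 +0000] "GET /Modules.php?modname=miscellaneous'
    '%2fPortal.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with status 200 and after_login set is the case worth triaging first; the body check applies only where response bodies are captured, for example by a proxy or WAF.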

CVSS provenance

nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N